Home > CAPEC List > CAPEC-153: Input Data Manipulation (Version 2.10)  

CAPEC-153: Input Data Manipulation

 
Input Data Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 153
Abstraction: Meta
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target. For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

+ Attack Prerequisites
  • The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control.

+ Typical Severity

Medium

+ Resources Required

No special resources are required for most variants of this attack.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017